pexels-media

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted data from the Pexels API and interpolates it into Bash commands for downloading files and creating metadata.
    • Ingestion points: JSON responses from api.pexels.com containing photo/video metadata (SKILL.md).
    • Boundary markers: None used in the shell script examples to delimit API data from command structure.
    • Capability inventory: Uses Bash (curl, jq) and Write tools, providing a path for command injection if API data is manipulated.
    • Sanitization: API-sourced strings such as photo IDs and URLs are interpolated directly into variables and file paths without escaping or validation.
  • Data Exposure & Exfiltration (SAFE): The skill follows security best practices by requiring the Pexels API key to be provided via an environment variable ($PEXELS_API_KEY) rather than hardcoding it. No attempts to access sensitive local system files were identified.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 04:34 PM